PowerShell Steganography

Any programming language that can access the pixels of a picture file can modify the pixel bytes to hide data within them.

The less you modify the pixel data, the less chance that the modified file will be noticed as hiding some form of data.

To me this is more of true steganography than the types that just append an exe to the end of the picture data because it is modifying the pixel data.

The downside is you have to have some program or script to decode and extract the data, which will point directly to the picture file used.

These types of picture files do not automatically run the data within, whereas those with embedded shellcode or exe files can be run by certain programs when viewed.

There are many ways that the hidden data can be obfuscated and stored in the picture file, but at some point it still has to be extracted, and that leaves a trail of instructions for how it is done.

The first time I ran into this was in November of 2018 in this Twitter thread https://twitter.com/Ledtech3/status/1060543927470735362

So let’s just take a closer look at the part that decodes the picture file.

SiptForpng

Here on the first and second lines we see it creating a new object for working with bitmaps and then opening the file directly from the internet instead of downloading it and then opening it.

On the next line it is getting each pixel byte from 0-427.

If we look at the properties of the downloaded picture, we see the width is 428 pixels.

Pixelwidth

It will next extract the RGB values from the pixels and then do the math.

The “B” would be the “B” value and the “G” would be the “G” value of the RGB in this case.

If we take a look at the “screenshot” of the picture file, it is nothing special and there is no real indication that it is hiding anything. (I didn’t want to add the real encoded file here.)

ScrnOfPic

So we need to open the file, extract each pixel, decode them using the function in the PowerShell, then output the decoded string. I have seen several different ways of encoding the pixel data; this is only 1 of them.

As usual I have built a tool to do this the easy way.

One more thing we need is the string length from the output, so we are not also outputting the extra garbage data. We can get that from the get string with a length of 0 to 1907.

Select the file, input the output length and click a button.

ExtractedPS
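The decode step described above, as an added Python example (not the author's tool and not code from the sample). It assumes the nibble layout of the Invoke-PSImage project linked further down: the low 4 bits of B hold the high half of each byte and the low 4 bits of G hold the low half. The pixel list and stub line are constructed for illustration, and the function names are hypothetical.

```python
import re

def payload_last_index(decoder_script):
    """Pull N out of the GetString($var[0..N]) range in a decoder stub."""
    m = re.search(r"GetString\(\s*\$\w+\[0\.\.(\d+)\]", decoder_script)
    return int(m.group(1)) if m else None

def decode_pixels(pixels, last_index):
    """Rebuild the hidden text from (R, G, B) tuples given in row-major order.

    PowerShell ranges are inclusive, so 0..N means N + 1 bytes; anything
    past that is leftover cover-image data and is dropped.
    """
    wanted = last_index + 1
    out = bytearray()
    for _r, g, b in pixels:
        if len(out) == wanted:
            break
        # Assumed layout: B low nibble = high half, G low nibble = low half.
        out.append(((b & 0x0F) << 4) | (g & 0x0F))
    if len(out) < wanted:
        raise ValueError(f"image holds {len(out)} bytes, stub expects {wanted}")
    return out.decode("ascii", errors="replace")

def pixels_from_image(path):
    """Yield pixels left to right, top to bottom (needs Pillow installed)."""
    from PIL import Image  # lazy import: the decoder itself has no dependency
    with Image.open(path) as img:
        rgb = img.convert("RGB")
        width, height = rgb.size
        for y in range(height):
            for x in range(width):
                yield rgb.getpixel((x, y))

# Constructed sample: 8 pixels carrying the harmless text "Get-Date",
# followed by 2 untouched cover pixels that must not reach the output.
SAMPLE_PIXELS = [
    (0x52, 0xA7, 0x34), (0x52, 0xA5, 0x36), (0x53, 0xA4, 0x37), (0x53, 0xAD, 0x32),
    (0x54, 0xA4, 0x34), (0x54, 0xA1, 0x36), (0x55, 0xA4, 0x37), (0x55, 0xA5, 0x36),
    (0x10, 0x13, 0x9C), (0x10, 0xFE, 0x02),
]
# Constructed stub fragment; real samples rename the variable.
SAMPLE_STUB = "[System.Text.Encoding]::ASCII.GetString($o[0..7])"

if __name__ == "__main__":
    print(decode_pixels(SAMPLE_PIXELS, payload_last_index(SAMPLE_STUB)))
```

For a real file, pass `pixels_from_image(path)` as the first argument; the decoded text is only returned for inspection and is never executed.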

Dealing with the output is another matter.

This sample uses a function that will reverse a string, then it will do several char replaces before the final decoding.

Here it is after the reverse string.

psoutput

This is what most of the samples I’ve looked at do. They have more layers of encoding usually from Invoke-Obfuscation or a similar tool.

The next question is where did this picture encoding come from?

It came from here https://github.com/peewpw/Invoke-PSImage and we also find an entry in the MITRE ATT&CK framework here https://attack.mitre.org/software/S0231/

Although the code to decode the picture file remains mostly the same, the variables are usually all different, including the height and width of the picture file and the variable names for the function calls.

The tool to extract the data can be found on my Github here https://github.com/PCsXcetra/Decode_PS_Stego.

That’s it for this one.

About pcsxcetrasupport3

My part-time business. I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to be able to better find the information I need to better understand the systems' problems in order to get the systems repaired and back to my customers quicker.